Terminal device, server device, content recording control system, recording method, and recording permission control method

ABSTRACT

A terminal device recording content onto a recording medium device, a permission to record the content onto the recording medium device being granted by a server device, the terminal device comprising: a generation unit generating a value calculated so as to represent subject content for which permission to record is requested; an information transmission unit requesting the permission from the server device by transmitting information indicating the value generated by the generation unit to the server device; a signature reception unit receiving subject content signature data from the server device, the subject content signature data being transmitted by the server device upon granting the permission; and a recording unit recording the subject content onto the recording medium device as one of plain-text data and encrypted data, as well as the subject content signature data received by the signature reception unit.

CROSS REFERENCE TO RELATED APPLICATION

This application claims benefit to the provisional U.S. Application61/496,188, filed on Jun. 13, 2011.

TECHNICAL FIELD

The present disclosure pertains to content protection technology usedwhen recording content onto a recording medium device.

DESCRIPTION OF THE RELATED ART

Advanced Access Content System (hereinafter, AACS) is known as copyrightprotection technology used for digital copyrighted works, such as moviesand music. For example, AACS is used to protect content recorded on aBlu-Ray Disc™ (hereinafter, BD).

An AACS-compliant terminal device playing back the content reads out thecontent recorded on a BD-ROM (which is a read-only medium) along with amedia key block (hereinafter, MKB) required to decrypt the content, thendecrypts the content using the MKB in combination with a device keyissued in advance. The terminal device is thus able to play back thecontent.

Incidentally, a need to copy or move (the term “copy” is hereinafterused to include move operations) content protected by AACS and acquiredby the terminal device to a recording medium device (e.g., SD memory)may arise in the course of playing back the content on a differentdevice.

CITATION LIST Non-Patent Literature [Non-Patent Literature 1]

-   Advanced Access Content System (AACS) Prepared Video Book Revision    0.95

[Non-Patent Literature 2]

-   Advanced Access Content System (AACS) Introduction and Common    Cryptographic Elements Revision 0.91

SUMMARY

However, freely allowing such copying of the content leads to aninability to maintain copyright protection therefor.

In consideration of this problem, one non-limiting and exemplaryEmbodiment provides a terminal device capable of inhibiting therecording of non-permitted content, such as illegitimately duplicatedcontent, onto a recording medium device.

In one general aspect, the technology here disclosed features a terminaldevice recording content onto a recording medium device, a permission torecord the content onto the recording medium device being granted by aserver device, the terminal device comprising: a generation unitgenerating a value calculated so as to represent subject content forwhich a permission to record onto the recording medium device isrequested; an information transmission unit requesting the permissionfrom the server device to record the subject content onto the recordingmedium device by transmitting information indicating the value generatedby the generation unit to the server device; a signature reception unitreceiving subject content signature data from the server device, thesubject content signature data being transmitted by the server deviceupon granting the permission to record the subject content onto therecording medium device; and a recording unit recording the subjectcontent onto the recording medium device as one of plain-text data andencrypted data, as well as the subject content signature data receivedby the signature reception unit.

According to the terminal device pertaining to the above aspect, onlycontent for which a permission to record has been granted by the serverdevice is recordable onto the recording medium device, thus inhibitingthe recording of illegitimately duplicated content.

These general and specific aspects may be implemented using a system, amethod, and a computer program, and any combination of systems, methods,and computer programs.

Additional benefits and advantages of the disclosed embodiments will beapparent from the specification and figures. The benefits and/oradvantages may be individually provided by the various embodiments andfeatures of the specification and drawings disclosure, and need not allbe provided in order to obtain one or more of the same.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram illustrating the system configuration of acontent distribution system 1000 pertaining to an exemplary Embodiment.

FIG. 2 is a block diagram illustrating the principal functionalconfiguration of a content production device 100 pertaining to theexemplary Embodiment.

FIG. 3 is a flowchart of a content production process by the contentproduction device 100 pertaining to the exemplary Embodiment.

FIG. 4 is a block diagram illustrating the principal functionalconfiguration of a key issuance device 200 pertaining to the exemplaryEmbodiment.

FIGS. 5A, 5B and 5C illustrate a data configuration example and samplecontent for a key distribution device certificate 10, a terminal devicecertificate 20, and a recording medium device certificate 30, eachgenerated by the key issuance device 200 pertaining to the exemplaryEmbodiment.

FIG. 6 is a flowchart indicating a key issuance process by the keyissuance device 200 pertaining to the exemplary Embodiment.

FIG. 7 is a block diagram illustrating the principal functionalconfiguration of a content distribution authentication device 300pertaining to the exemplary Embodiment.

FIG. 8 illustrates a data configuration example and sample content forwriteout authentication request data received by a content distributionauthentication device 300 pertaining to the exemplary Embodiment.

FIG. 9 is a flowchart of an authentication process by the contentdistribution authentication device 300 pertaining to the exemplaryEmbodiment.

FIG. 10 is a block diagram illustrating the principal functionalconfiguration of a key distribution device 400 pertaining to theexemplary Embodiment.

FIG. 11 illustrates a data configuration example for writeout requestdata received by the key distribution device 400 pertaining to theexemplary Embodiment.

FIG. 12 is a block diagram of sample mutual authentication operationspertaining to the exemplary Embodiment.

FIGS. 13A and 13B illustrate a data configuration example for unsigneddata 70 received by the key distribution device 400 and for signed data76 transmitted by the key distribution device 400 pertaining to theexemplary Embodiment.

FIG. 14 is a flowchart indicating a pre-distribution process by the keydistribution device 400 pertaining to the exemplary Embodiment.

FIG. 15 is a flowchart indicating a distribution process by the keydistribution device 400 pertaining to the exemplary Embodiment.

FIG. 16 is a block diagram illustrating the principal functionalconfiguration of a terminal device 500 performing a receiving andwriting process pertaining to the exemplary Embodiment.

FIG. 17 is a block diagram illustrating the principal functionalconfiguration of the terminal device 500 performing a playback processpertaining to the exemplary Embodiment.

FIG. 18 is a flowchart of the reception and writing process by theterminal device 500 pertaining to the exemplary Embodiment.

FIG. 19 is a flowchart of the playback process by the terminal device500 pertaining to the exemplary Embodiment.

FIG. 20 is a block diagram illustrating the principal functionalconfiguration of a recording medium device 600 pertaining to theexemplary Embodiment.

FIG. 21 is a flowchart indicating a writing process by the recordingmedium device 600 pertaining to the exemplary Embodiment.

FIG. 22 is a block diagram illustrating the configuration of a serverdevice 2400 and a terminal device 2500 in a content recording controlsystem 2000 pertaining to another exemplary Embodiment of the invention.

FIG. 23 is a flowchart of a recording method pertaining to the otherexemplary Embodiment of the invention.

FIG. 24 is a flowchart of a recording permission control methodpertaining to the other exemplary Embodiment of the invention.

FIG. 25 is a flowchart indicating a distribution process by a keydistribution device pertaining to a variant Embodiment.

FIG. 26 is a flowchart of the reception and writing process by aterminal device pertaining to the variant Embodiment.

FIG. 27 is a flowchart of the playback process by the terminal devicepertaining to the variant Embodiment.

FIG. 28 is a flowchart indicating a writing process by a recordingmedium device pertaining to the variant Embodiment.

DETAILED DESCRIPTION

The following describes a content distribution system 1000, including akey distribution device and a terminal device, as an exemplaryEmbodiment of a content recording management system, made up of a serverdevice and a terminal device, pertaining to the present disclosure.

Exemplary Embodiment

(Outline)

In order to, for example, play back content protected by AACS andacquired by the terminal device on a device other than the terminaldevice, the content may be copied onto a recording medium device (e.g.,SD memory) using non-AACS copyright protection technology.

Plausible methods for accomplishing such copying onto the recordingmedium device include, for example, having the terminal device decryptthe AACS-protected content (i.e., encrypted content) to acquireplain-text content, encrypt the plain-text content using a methodconforming to the non-AACS copyright protection technology, and thenwrite the result to the recording medium device.

However, this method involves granting the terminal device processingprivileges pertaining to content protection. In the event that theterminal device is hacked, there is a risk that content may be recordedonto the recording medium device without protection and thus beillicitly duplicated.

In consideration of this issue, the present disclosure has the keydistribution device determine whether or not to grant the terminaldevice a permission to record the content onto the recording mediumdevice, and generates signed data only when the permission is granted.The terminal device then records the signed data so generated with thecontent on the recording medium device. Also, a legitimate playbackdevice is unable to play back the content unless the signed data arealso recorded. Thus, the legitimate playback device is unable to playback content recorded alone onto the recording medium device by a hackedterminal device.

Accordingly, the recording of illicitly duplicated content and similardisallowed content onto the recording medium device in playable form isinhibited.

(System Configuration)

FIG. 1 is a block diagram illustrating the system configuration of acontent distribution system 1000 pertaining to the exemplary Embodiment.

The content distribution system 1000 is made up of a content productiondevice 100, a key issuance device 200, a content distributionauthentication device 300, a key distribution device 400, a terminaldevice 500, and a recording medium device 600.

The terminal device 500 is, for example, a DVD or BD player capable ofplaying back a recording medium, such as a DVD, BD, or similar opticaldisc, is able to connect to a network, and is installed in a user's homeor the like for content viewing purposes. The recording medium device600 is an SD card or similar memory card usable by insertion into a cardslot on the terminal device 500. The content distribution authenticationdevice 300 corresponds to the AACS managed copy authentication serverused in AACS.

The content production device 100 and the content distributionauthentication device 300 are connected via a network, as are the keyissuance device 200 and the key distribution device 400, and the contentdistribution authentication device 300, the key distribution device 400,and the terminal device 500.

(Configuration of Content Production Device 100)

FIG. 2 is a block diagram illustrating the functional configuration ofthe principal components of the content production device 100.

As shown, the content production device 100 includes a contentproduction device private key and certificate storage unit 111, amaterial storage unit 120, an editing unit 121, a title key storage unit130, a title key generation unit 131, a content storage unit 140, anencryption unit 141, a content ID storage unit 150, a content IDgeneration unit 151, a signature unit 152, a content distribution unit160, a UR storage unit 170, a UR input unit 171, and a content ID and URregistration unit 180.

The content production device 100 includes a processor, memory, and anetwork interface card (hereinafter, NIC). The functions of the editingunit 121, the title key generation unit 131, the encryption unit 141,the content ID generation unit 151, and the signature unit 152 are eachrealized by having the processor execute a program stored in the memory.Data transmission by the content ID and UR registration unit 180 isperformed using the NIC.

The content production device private key and certificate storage unit111 is a memory area for storing a content production device private keyand a paired content production device certificate. The details of thewriting process for the content production device private key andcertificate are omitted.

The material storage unit 120 is a memory area for storing audiovisualmaterials for a movie or similar. The production method for theaudiovisual materials themselves is omitted.

The editing unit 121 edits the materials stored in the material storageunit 120, then outputs the edited materials to the encryption unit 141.

The title key storage unit 130 is a memory area for storing a title key.

The title key generation unit 131 generates the title key for storage inthe title key storage unit 130. The title key is, for example, a 128-bitrandom number.

The content storage unit 140 is a memory area for storing encryptedcontent. Unless otherwise specified, encrypted content is hereinafterreferred to as content, while unencrypted content is referred to asplain-text content.

The encryption unit 141 encrypts the materials output from the editingunit 121 using the title key stored in the title key storage unit 130 togenerate content for storage in the content storage unit 140.

The content ID storage unit 150 is a memory area for storing a contentID having a signature.

The content ID generation unit 151 generates the content ID foridentifying the content according to the content stored in the contentstorage unit 140, and then outputs the content ID to the signature unit152. The content ID may be any information identifying the content, andmay be generated as follows, for example. In effect, the content isdivided into a plurality of portions, a hash value is calculated foreach portion, and a hash table is generated from the hash values socalculated. Furthermore, a hash value is calculated for the hash table,and this hash value is usable as the content ID. In the BD example, theCCID, which is a portion of the Content Cert specified in AACS, may beused as the content ID.

The signature unit 152 signs the content ID output by the content IDgeneration unit 151 using the content production device private keystored in the content production device private key and certificatestorage unit 111 and stores the result in the content ID storage unit150.

The content distribution unit 160 distributes the content stored in thecontent storage unit 140 and the hash table and so on generated duringthe generation process by the content ID generation unit 151 to theterminal device 500. No particular limitation is intended regarding themethod of distribution to the terminal device 500. However, in theexemplary Embodiment, the content distribution unit 160 records thecontent and so on onto a recording medium such as a DVD, BD, or similaroptical disc. Then, the recording medium on which the content isrecorded is sold through a physical market and thus distributed to theterminal device 500 installed in the user's home. The aforementionedhash table is used for content verification by the terminal device 500playing back the content recorded and distributed on the optical disc orthe like. In the AACS example, at playback time, the terminal devicecalculates hash values for seven randomly-selected points within each ofthe pieces of content. The playback device then compares the hash valueso calculated to hash values for the corresponding portions listed inthe distributed hash table, such that playback is permitted when allseven portions match.

The UR storage unit 170 is a memory area for storing Usage Rules(hereinafter, UR), which are conditions for content playback andcopying.

The UR input unit 171 includes a keyboard or similar input device,receives UR input from the operator or the like of the contentproduction device 100, and stores the UR in a predetermined format inthe UR storage unit 170.

The content ID and UR registration unit 180 registers the content IDstored in the content ID storage unit 150 and the UR stored in the URstorage unit 170 through transmission via the network to the contentdistribution authentication device 300.

(Production Process for Content Production Device 100)

FIG. 3 is a flowchart indicating the content production process by thecontent production device 100.

The order of operations given below as steps S110 through S190 is anexample of the content production processing. For example, provided thatstep S110 is completed before S160 begins, steps S120 and S130 arecompleted before step S140 begins, and steps S160 and S180 are completedbefore step S190 begins, the ordering of the steps is not limited tothat given below.

As indicated, the content production device private key and pairedcertificate are stored in the content production device private key andcertificate storage unit 111 (step S110).

The editing unit 121 edits the materials stored in the material storageunit 120 (step S120). The title key generation unit 131 generates atitle key for storage in the title key storage unit 130 (step S130).

The encryption unit 141 encrypts the materials edited by the editingunit 121 with the title key stored in the title key storage unit 130 togenerate content for storage in the content storage unit 140 (stepS140).

The content ID generation unit 151 generates the content ID according tothe content stored in the content storage unit 140. Also, the signatureunit 152 signs the content ID generated by the content ID generationunit 151, then stores the signed content ID in the content ID storageunit 150 (step S160).

The content distribution unit 160 distributes the content stored in thecontent storage unit 140 and the hash values and so on generated duringthe generation process by the content ID generation unit 151 to theterminal device 500 (step S170).

The UR input unit 171 receives the UR input from the operator or similarof the content production device 100 for storage in the UR storage unit170 (step S180). Also, the content ID and UR registration unit 180registers and transmits the content ID stored in the content ID storageunit 150 paired with the UR stored in the UR storage unit 170 throughtransmission to the content distribution authentication device 300 (stepS190). The content production device 100 then concludes the contentproduction process.

(Configuration of Key Issuance Device 200)

FIG. 4 is a block diagram illustrating the principal functionalconfiguration of the key issuance device 200.

As shown, the key issuance device 200 includes a root key pair storageunit 210, a root key pair generation unit 211, a root public keytransmission unit 212, a key distribution device private key andcertificate storage unit 220, a key distribution device key pairgeneration unit 221, a certificate generation unit 222, a keydistribution device private key and certificate transmission unit 223, aterminal device private key and certificate storage unit 230, a terminaldevice key pair generation unit 231, a certificate generation unit 232,a terminal device private key and certificate transmission unit 233, arecording medium device private key and certificate storage unit 240, arecording medium device key pair generation unit 241, a certificategeneration unit 242, and a recording medium device private key andcertificate transmission unit 243.

The key issuance device 200 includes a processor, memory, and a NIC. Thefunctions of the root key pair generation unit 211, the key distributiondevice key pair generation unit 221, certificate generation unit 222,the terminal device key pair generation unit 231, certificate generationunit 232, the recording medium device key pair generation unit 241, andcertificate generation unit 242 are each realized by having theprocessor execute a program stored in the memory. Also, datatransmission by the root public key transmission unit 212, the keydistribution device private key and certificate transmission unit 223,the terminal device private key and certificate transmission unit 233,and the recording medium device private key and certificate transmissionunit 243 is performed using the NIC.

The root key pair storage unit 210 is a memory area for storing a pairof keys made up of the root public key and the root private key for thekey issuance device 200. The root private key serves as the foundationof security in the content distribution system 1000 pertaining to theexemplary Embodiment.

The root key pair generation unit 211 generates the pair of keys, madeup of the root public key and the root private key for the key issuancedevice 200, for storage in the root key pair storage unit 210.

The root public key transmission unit 212 transmits the root public keystored in the root key pair storage unit 210 via the network to the keydistribution device 400, the terminal device 500, and the recordingmedium device 600.

The key distribution device private key and certificate storage unit 220is a memory area for storing a key distribution device private key andpaired certificate.

The key distribution device key pair generation unit 221 generates thepair of keys, made up of the key distribution device public key andprivate key, for the key distribution device 400, outputs the keydistribution device public key so generated to the certificategeneration unit 222, and stores the key distribution device private keyso generated in the key distribution device private key and certificatestorage unit 220.

The certificate generation unit 222 uses the root private key stored inthe root key pair storage unit 210 to sign the key distribution devicepublic key and the like output by the key distribution device key pairgeneration unit 221, thus generating a key distribution devicecertificate 10 for storage in the key distribution device private keyand certificate storage unit 220.

The following describes the key distribution device certificate 10.

FIG. 5A is a diagram illustrating the data configuration and samplecontent of the key distribution device certificate 10.

As shown, the key distribution device certificate 10 is made up of a keydistribution device ID 11, the key distribution device public key 12,ancillary data 13, and a signature 14.

The key distribution device ID 11 is the ID of the key distributiondevice 400, the key distribution device public key 12 is the keydistribution device public key generated by the key distribution devicekey pair generation unit 221, and the ancillary data 13 are, forexample, data indicating the issuance or expiration date of the keydistribution device certificate 10. Also, the signature 14 is thesignature generated by the certificate generation unit 222 for the keydistribution device ID 11, the key distribution device public key 12,and the ancillary data 13.

The key distribution device private key and certificate transmissionunit 223 transmits the key distribution device private key and pairedcertificate 10 stored in the key distribution device private key andcertificate storage unit 220 via the network to the key distributiondevice 400.

The terminal device private key and certificate storage unit 230 is amemory area for storing a terminal device private key and pairedcertificate 20.

The terminal device key pair generation unit 231 generates the pair ofkeys, made up of the terminal device public key and private key, for theterminal device 500, outputs the terminal device public key so generatedto the certificate generation unit 232, and stores the terminal deviceprivate key so generated in the terminal device private key andcertificate storage unit 230.

The certificate generation unit 232 uses the root private key stored inthe root key pair storage unit 210 to sign the terminal device publickey and so on output by the terminal device key pair generation unit231, thus generating the terminal device certificate 20 for storage inthe terminal device private key and certificate storage unit 230.

The following describes the terminal device certificate 20.

FIG. 5B is a diagram illustrating a data configuration example andsample content of the terminal device certificate 20.

As shown, the terminal device certificate 20 is made up of a terminaldevice ID 21, the terminal device public key 22, ancillary data 23, anda signature 24.

The terminal device ID 21 is the ID of the terminal device 500, theterminal device public key 22 is the terminal device public keygenerated by the terminal device key pair generation unit 231, and theancillary data 23 are, for example, data indicating the issuance orexpiration date of the terminal device certificate 20. Also, thesignature 24 is the signature generated by the certificate generationunit 232 for the terminal device ID 21, the terminal device public key22, and the ancillary data 23.

The terminal device private key and certificate transmission unit 233transmits the terminal device private key and paired certificate 20stored in the terminal device private key and certificate storage unit230 via the network to the terminal device 500.

The recording medium device private key and certificate storage unit 240is a memory area for storing a recording medium device private key andpaired certificate 30.

The recording medium device key pair generation unit 241 generates thepair of keys, made up of the recording medium device private key andpublic key, for the recording medium device 600, outputs the recordingmedium device public key so generated to the certificate generation unit242, and stores the recording medium device private key so generated inthe recording medium device private key and certificate storage unit240.

The certificate generation unit 242 uses the root private key stored inthe root key pair storage unit 210 to sign the recording medium devicepublic key and so on output by the recording medium device key pairgeneration unit 241, thus generating a recording medium devicecertificate 30 for storage in the recording medium device private keyand certificate storage unit 240.

The following describes the recording medium device certificate 30.

FIG. 5C is a diagram illustrating a data configuration example andsample content for the recording medium device certificate 30.

As shown, the recording medium device certificate 30 is made up of arecording medium device ID 31, the recording medium device public key32, ancillary data 33, and a signature 34.

The recording medium device ID 31 is the ID of the recording mediumdevice 600, the recording medium device public key 32 is the recordingmedium device public key generated by the recording medium device keypair generation unit 241, and the ancillary data 33 are, for example,data indicating the issuance or expiration date of the recording mediumdevice certificate 30. Also, the signature 34 is the signature generatedby the certificate generation unit 242 for the recording medium deviceID 31, the recording medium device public key 32, and the ancillary data33.

The recording medium device private key and certificate transmissionunit 243 transmits the recording medium device private key and pairedcertificate 30 stored in the recording medium device private key andcertificate storage unit 240 via the network to the recording mediumdevice 600.

(Key Issuance Process by Key Issuance Device 200)

FIG. 6 is a flowchart indicating the key issuance operations of the keyissuance device 200.

The order of operations given below as steps S210 through S250 is anexample of the key issuance processing. For example, any of steps S220,S240, and S250 may begin provided that step S210 has been completed.Also, steps S220, S240, and S250 may be completed in any order, providedthat step S210 is completed beforehand. No limitation is intendedregarding the order of steps S220, S240, and S250. That is, steps S220and S250 may occur after step S240 in the stated order or the opposite,and steps S220 and S240 may likewise occur after step S250 in the statedorder or the opposite.

The root key pair generation unit 211 of the key issuance device 200generates the pair of keys made up of the root public key and the rootprivate key for storage in the root key pair storage unit 210. The rootpublic key transmission unit 212 transmits the root public key sogenerated to the key distribution device 400, the terminal device 500,and the recording medium device 600 (step S210).

The key distribution device key pair generation unit 221 generates thepair of keys, made up of the key distribution device public key andprivate key, and stores the key distribution device private key sogenerated in the key distribution device private key and certificatestorage unit 220. The certificate generation unit 222 uses the rootprivate key stored in the root key pair storage unit 210 to sign the keydistribution device public key and the like generated by the keydistribution device key pair generation unit 221, thus generating a keydistribution device certificate 10 for storage in the key distributiondevice private key and certificate storage unit 220. Also, the keydistribution device private key and certificate transmission unit 223transmits the key distribution device private key and paired certificate10 stored in the key distribution device private key and certificatestorage unit 220 to the key distribution device 400 (step S220).

The terminal device key pair generation unit 231 generates the pair ofkeys, made up of the terminal device public key and private key, andstores the terminal device private key so generated in the terminaldevice private key and certificate storage unit 230. Also, thecertificate generation unit 232 uses the root private key stored in theroot key pair storage unit 210 to sign the terminal device public keyand so on generated by the terminal device key pair generation unit 231,thus generating the terminal device certificate 20 for storage in theterminal device private key and certificate storage unit 230. Theterminal device private key and certificate transmission unit 233transmits the terminal device private key and paired certificate 20stored in the terminal device private key and certificate storage unit230 to the terminal device 500 (step S240).

The recording medium device key pair generation unit 241 generates thepair of keys, made up of the recording medium device private key andpublic key, and stores the recording medium device private key sogenerated in the recording medium device private key and certificatestorage unit 240. Also, the certificate generation unit 242 uses theroot private key stored in the root key pair storage unit 210 to signthe recording medium device public key and so on generated by therecording medium device key pair generation unit 241, thus generating arecording medium device certificate 30 for storage in the recordingmedium device private key and certificate storage unit 240. Therecording medium device private key and certificate transmission unit243 transmits the recording medium device private key and pairedcertificate 30 stored in the recording medium device private key andcertificate storage unit 240 to the recording medium device 600 (stepS250). The key issuance device 200 then concludes the key issuanceprocess.

(Configuration of Content Distribution Authentication Device 300)

FIG. 7 is a block diagram illustrating the principal functionalconfiguration of the content distribution authentication device 300.

As shown, the content distribution authentication device 300 includes acontent ID and UR storage unit 310, a content ID and UR reception unit320, a writeout authentication request reception unit 330, anauthentication determination and authentication ID generation unit 340,an authentication result and authentication ID notification unit 350,and an authentication ID and UR registration unit 360.

The content distribution authentication device 300 includes a processor,memory, and a NIC. The function of the authentication determination andauthentication ID generation unit 340 is realized by having theprocessor execute a program stored in the memory. Data transfer by thecontent ID and UR reception unit 320, the writeout authenticationrequest reception unit 330, the authentication result and authenticationID notification unit 350, and the authentication ID and UR registrationunit 360 is performed using the NIC.

The content ID and UR storage unit 310 is a memory area for storing thecontent ID and paired UR.

The content ID and UR reception unit 320 receives the content ID and URfrom the content production device 100 via the network for storage inthe content ID and UR storage unit 310.

The writeout authentication request reception unit 330 receives writeoutauthentication request data 40 from the terminal device 500 via thenetwork for output to the authentication determination andauthentication ID generation unit 340.

FIG. 8 is a diagram illustrating a data configuration example and samplecontent for the writeout authentication request data 40.

As shown, the writeout authentication request data 40 includes thecontent ID 41, a coupon code 42, and supplementary information 43. Inparticular, the content ID 41 is an identifier for content that theterminal device 500 is attempting to record to the recording mediumdevice 600. In FIG. 8, a sample content ID of 0008 is given.

The authentication determination and authentication ID generation unit340 determines whether or not any content ID matching the content ID 41in the writeout authentication request data 40 output by the writeoutauthentication request reception unit 330 is stored in the content IDand UR storage unit 310, and generates determination resultsaccordingly. Specifically, in the affirmative case, the authenticationdetermination and authentication ID generation unit 340 generates anauthentication ID and an authentication result indicating success and,in the negative case, generates an authentication result indicatingfailure. In either case, the data so generated are output to theauthentication result and authentication ID notification unit 350. Theauthentication determination and authentication ID generation unit 340also outputs the authentication ID so generated to the authentication IDand UR registration unit 360.

The authentication result and authentication ID notification unit 350transmits the authentication result output by the authenticationdetermination and authentication ID generation unit 340 via the networkto the terminal device 500. In particular, upon being output from theauthentication determination and authentication ID generation unit 340,the authentication ID is also transmitted to the terminal device 500 viathe network.

The authentication ID and UR registration unit 360 transmits theauthentication ID output by the authentication determination andauthentication ID generation unit 340 and the paired UR stored in thecontent ID and UR storage unit 310 via the network to the keydistribution device 400.

(Authentication Process by Content Distribution Authentication Device300)

FIG. 9 is a flowchart indicating the authentication processing by thecontent distribution authentication device 300.

The order of operations given below as steps S310 through S350 is anexample of the authentication processing. For example, provided thatstep S310 is completed before S320 begins, the order of operations isnot limited to that of the steps given below.

The content ID and UR reception unit 320 of the content distributionauthentication device 300 receives the content ID and the UR from thecontent production device 100 for storage in the content ID and URstorage unit 310 (step S310).

The writeout authentication request reception unit 330 receives thewriteout authentication request data 40 from the terminal device 500(step S320). Subsequently, the authentication determination andauthentication ID generation unit 340 determines whether or not thecontent ID 41 in the writeout authentication request data 40 receivedfrom the writeout authentication request reception unit 330 matches thecontent ID stored in the content ID and UR storage unit 310 (step S330).

In the affirmative case (YES in step S330), the authenticationdetermination and authentication ID generation unit 340 generates theauthentication ID along with an authentication result indicatingsuccess, and the authentication result and ID notification unit 350transmits the authentication result and authentication ID to theterminal device 500 (step S340). Next, the authentication ID and URregistration unit 360 registers the authentication ID generated by theauthentication determination and authentication ID generation unit 340and the paired UR stored in the content ID and UR storage unit 310through transmission to the key distribution device 400 (step S350). Thecontent distribution authentication device 300 thus concludes theauthentication process.

However, when step S330 returns no matching content ID (NO in stepS330), the authentication determination and authentication ID generationunit 340 generates an authentication result indicating failure, and theauthentication result and authentication ID notification unit 350transmits the authentication result to the terminal device 500 (stepS345). The content distribution authentication device 300 thus concludesthe authentication process.

(Configuration of Key Distribution Device 400)

FIG. 10 is a block diagram illustrating the principal functionalconfiguration of the key distribution device 400.

As shown, the key distribution device 400 includes a root public keystorage unit 410, a root public key reception unit 411, a keydistribution device private key and certificate storage unit 415, a keydistribution device private key and certificate reception unit 416, anauthentication ID and UR storage unit 420, an authentication ID and URreception unit 421, a writeout request reception unit 430, a mutualauthentication unit 440, a recording medium device ID acquisition unit441, a determination unit 442, a title key generation unit 450, a MACcalculation unit 451, a MAC and UR transmission unit 452, a title keycalculation unit 453, a title key transmission unit 454, an encryptionand decryption unit 455, a position designation unit 460, an unsigneddata and content reception unit 461, a verification unit 462, asignature unit 470, and a signed data transmission unit 471.

The key distribution device 400 includes a processor, memory, and a NIC.The functions of the mutual authentication unit 440, the recordingmedium device ID acquisition unit 441, the determination unit 442, thetitle key generation unit 450, the MAC calculation unit 451, the titlekey calculation unit 453, the encryption and decryption unit 455, theposition designation unit 460, the verification unit 462, and thesignature unit 470 are each realized by having the processor execute aprogram stored in the memory. Also, data transfer by the root public keyreception unit 411, the key distribution device private key andcertificate reception unit 416, the authentication ID and UR receptionunit 421, the writeout request reception unit 430, the mutualauthentication unit 440, the MAC and UR transmission unit 452, the titlekey transmission unit 454, the encryption and decryption unit 455, theposition designation unit 460, the unsigned data and content receptionunit 461, and the signed data transmission unit 471 is performed usingthe NIC.

The root public key storage unit 410 is a memory area for storing theroot public key.

The root public key reception unit 411 receives the root public keytransmitted by the key issuance device 200 via the network for storagein the root public key storage unit 410.

The key distribution device private key and certificate storage unit 415is a memory area for storing a key distribution device private key andpaired certificate.

The key distribution device private key and certificate reception unit416 receives the key distribution device private key and pairedcertificate transmitted via the network from the key issuance device 200for storage in the key distribution device private key and certificatestorage unit 415.

The authentication ID and UR storage unit 420 is a memory area forstoring the authentication ID and paired UR.

The authentication ID and UR reception unit 421 receives theauthentication ID and paired UR transmitted via the network from thecontent distribution authentication device 300 for storage in theauthentication ID and UR storage unit 420.

The writeout request reception unit 430 receives the writeout requestdata 50 from the terminal device 500 via the network for output to thedetermination unit 442.

FIG. 11 is a diagram illustrating a data configuration example andsample content for the writeout request data 50.

As shown, the writeout request data 50 are made up of the authenticationID 51 and a recording medium device ID 52.

The authentication ID 51 is the authentication ID received by theterminal device 500 from the content distribution authentication device300. Also, the recording medium device ID 52 is the ID of the recordingmedium device 600 onto which the terminal device 500 is attempting torecord the content.

The mutual authentication unit 440 performs mutual authentication withthe terminal device 500 and with the recording medium device 600,sharing a common key therewith.

FIG. 12 is a block diagram illustrating a sample order of operations formutual authentication as performed between host/server authenticators Aand B.

In this example, host/server authenticator A is the key distributiondevice 400 while host/server authenticator B is the terminal device 500or the recording medium device 600.

The mutual authentication unit of host/server authenticator A includes arandom number generator A10, a decryptor A20, a random number comparatorA30, and an encryptor A40. Similarly, the mutual authentication unit ofhost-server authenticator B includes an encryptor B10, a random numbergenerator B20, a decrypter B30, and a random number comparator B40.

(Authentication of Host/Server Authenticator B by Host/ServerAuthenticator A)

(a) The random number generator A10 in host/server authenticator Agenerates random number R1 for transmission to host/server authenticatorB.(b) The encryptor B10 in host/server authenticator B encrypts the randomnumber R1 received from host/server authenticator A using a specific keyKsc (E (Ksc, R1)), and transmits the encrypted random number R1 (E (Ksc,R1)) to host/server authenticator A.(c) The decryptor A20 in host/server authenticator A decrypts the data E(Ksc, R1) received from host/server authenticator B using the specifickey Ksc (D (Ksc, (E (Ksc, R1)))) (=R1). This example representssuccessful authentication.(d) The random number comparator A30 in host/server authenticator Acompares the results of decryption D (Ksc, (E (Ksc, R1))) from step (c)to the random number R1 generated in step (a). When matching occurs,host/server authenticator A receives an authentication result to theeffect that host/server authenticator B is a legitimate module.

(Authentication of Host/Server Authenticator A by Host/ServerAuthenticator B)

(e) The random number generator B20 in host/server authenticator Bgenerates random number R2 for transmission to host/server authenticatorA.(f) The encryptor A40 in host/server authenticator A receives the randomnumber R2 from host/server authenticator B, performs encryption usingthe specific key Ksc (E (Ksc, R2)), and transmits the encrypted randomnumber R2 (E (Ksc, R2)) to host/server authenticator B(g) The decryptor B30 in host/server authenticator B decrypts the data E(Ksc, R2) received from host/server authenticator A using the specifickey Ksc (D (Ksc, (E (Ksc, R2)))) (=R2). This example representssuccessful authentication.(h) The random number comparator B40 in host/server authenticator Bcompares the results of decryption D (Ksc, (E (Ksc, R2))) from step (g)to the random number R2 generated in step (e). When matching occurs,host/server authenticator B receives an authentication result to theeffect that host/server authenticator A is a legitimate module.

Upon receiving, in steps (d) and (h), notification to the effect thatthe other module is legitimate, host/server authenticators A and Bobtain a common key by applying a one-way function to R1∥R2 using Ksc,where ∥ signifies data concatenation.

Although not detailed above, the mutual authentication performed betweenthe key distribution device 400 and the terminal device 500 or betweenthe key distribution device 400 and the recording medium device 600 mayresult in not only a common key but also a certificate being exchanged.The details of the certificate obtaining process are described inNon-Patent Literature 2, section 4.3 “Drive Authentication Algorithm forAACS (AACS-Auth)” (with particular reference to steps 7 and 13). Themutual authentication process is given as an example. Other approachesto mutual authentication may also be employed.

The remaining components of the key distribution device 400 aredescribed with continued reference to FIG. 10.

The recording medium device ID acquisition unit 441 acquires therecording medium device ID 31 written in the recording medium devicecertificate 30 received during the mutual authentication performed bythe mutual authentication unit 440 with the recording medium device 600,and outputs the certificate 30 to the determination unit 442 and the MACcalculation unit 451.

The determination unit 442 determines whether or not to grant thewriteout request from the terminal device 500. Specifically, thedetermination unit 442 determines whether or not any authentication IDmatching the authentication ID included in the writeout request data 50output by the writeout request reception unit 430 is stored in theauthentication ID and UR storage unit 420. Also, the determination unit442 determines whether or not the recording medium device ID included inthe writeout request data 50 output by the writeout request receptionunit 430 matches the recording medium device ID output by the recordingmedium device ID acquisition unit 441. When the authentication ID isstored and the recording medium device IDs match, the determination unit442 outputs determination results indicating that the writeout requestis granted to the title key generation unit 450. Conversely, when theauthentication ID is not stored or the recording medium device IDs donot match, the determination unit 442 outputs determination resultsindicating that the writeout request is not granted to the title keygeneration unit 450.

When the determination results output by the determination unit 442indicate that the writeout request is granted, the title key generationunit 450 generates the title key for output to the MAC calculation unit451, the title key calculation unit 453, and the verification unit 462.However, when the determination results output by the determination unit442 indicate that the writeout request is not granted, the title keygeneration unit 450 outputs the determination results to the MAC and URtransmission unit 452 through the MAC calculation unit 451.

The MAC calculation unit 451 uses the title key output by the title keygeneration unit 450 to calculate a message authentication code(hereinafter, MAC) for the recording medium device ID output by therecording medium device ID acquisition unit 441, and outputs the MACvalue so calculated to the MAC and UR transmission unit 452.

The MAC and UR transmission unit 452 transmits the MAC value for therecording medium device ID output by the MAC calculation unit 451 andthe UR stored in the authentication ID and UR storage unit 420 via thenetwork to the terminal device 500. Upon receiving the notification ofdetermination results from the title key generation unit 450 via the MACcalculation unit 451 indicating that the writeout request is notgranted, the MAC and UR transmission unit 452 outputs the determinationresults to the terminal device 500.

The title key calculation unit 453 calculates a hash value for the URstored in the authentication ID and UR storage unit 420 and generates acalculated title key by applying a simple set of reversible operations,such as XOR, to the calculated hash value and the title key output bythe title key generation unit 450. The title key calculation unit 453outputs the calculated title key so generated to the title keytransmission unit 454.

The title key transmission unit 454 transmits the calculated title keyoutput by the title key calculation unit 453 via the encryption anddecryption unit 455 to the recording medium device 600 via the network.The recording medium device 600 is used by insertion in a card slot onthe terminal device 500. As described below, the transmission of thecalculated title key to the recording medium device 600 is actuallyperformed through the terminal device 500. However, in suchtransmissions, the terminal device 500 serves only as the communicationchannel between the key distribution device 400 and the recording mediumdevice 600, and is fundamentally unconcerned with the content of thecommunicated data. That is, although communications are performedthrough the terminal device 500, these are considered equivalent todirect communication between the key distribution device 400 and therecording medium device 600.

The encryption and decryption unit 455 uses the common key generatedduring the mutual authentication process by the mutual authenticationunit 440 to encrypt the calculated title key generated by the title keycalculation unit 453 for transmission to the recording medium device600. The calculated title key is thus securely transmitted to therecording medium device 600.

As described below, the position designation unit 460 generates positiondesignation information designating a portion of content (hereinafter,content portion) to be subject to hash value comparison by theverification unit 462, in terms of position and size within the contentthat the terminal device is attempting to write to the recording mediumdevice 600, and transmits the position designation information sogenerated via the network to the terminal device 500. The positiondesignation unit 460 also outputs the position designation informationso generated to the verification unit 462. The position designation unit460 may select the position within the content randomly, or inaccordance with some rule.

The unsigned data and content reception unit 461 receives the unsigneddata 70 from the terminal device 500 via the network, outputs theunsigned data 70 so received to the verification unit 462, and notifiesthe position designation unit 460 of unsigned data 70 reception. Theunsigned data and content reception unit 461 also receives, from theterminal device 500, the content portion designated in the positiondesignation information output by the position designation unit 460, andoutputs the content portion to the verification unit 462.

FIG. 13A indicates a sample data configuration for the unsigned data 70.

As shown, the unsigned data 70 are made up of hash data 1 71, 2 72, . .. N 73, supplementary information 74, and a reserved signature portion75.

Each piece of hash data (reference signs 71 through 73) is a hash valuefor the corresponding encrypted content portion, as divided. Althoughthe pieces of hash data are here described as hash values calculated forthe encrypted content, the hash values may also be calculated forunencrypted portions of plain-text content.

The reserved signature portion 75 is a reserved area for storing asignature 78 in later-described signed data 76. The supplementaryinformation 74 is, for example, information specifying or pertaining tothe content, used for content associations.

The verification unit 462 verifies the legitimacy of the unsigned data70 output by the unsigned data and content reception unit 461.Specifically, the verification unit 462 encrypts the content portionoutput by the unsigned data and content reception unit 461 using thetitle key output by the title key generation unit 450, and calculates ahash value therefor. The verification unit 462 then determines whetheror not the hash value so calculated matches the hash value correspondingto the above-described content portion as written in the unsigned data70, and outputs determination results to the signature unit 470indicating that the unsigned data 70 are legitimate when matchingoccurs, and indicating that the unsigned data 70 are illegitimate whenno matching occurs. The verification unit 462 specifies the hash valuecorresponding to the content portion among the hash values written inthe unsigned data 70 according to the position designation informationreceived from the position designation unit 460.

Upon receiving determination results from the verification unit 462indicating that the unsigned data 70 are legitimate, the signature unit470 uses the key distribution device private key stored in the keydistribution device private key and certificate storage unit 415 to signthe unsigned data 70, thus generating signed data 76. The signature unit470 outputs the signed data 76 so generated to the signed datatransmission unit 471. Upon receiving determination results from theverification unit 462 indicating that the unsigned data 70 areillegitimate, the signature unit 470 outputs the determination resultsto the signed data transmission unit 471.

FIG. 13B indicates a sample data configuration for the signed data 76.

As shown, the signed data 76 are made up of hash data 1 71, 2 72, . . .N 73, supplementary information 77, and a signature 78.

The hash data (reference signs 71 through 73) are identical to thoseincluded in the unsigned data 70. The signature 78 is generated by usingthe key distribution device private key on the hash data (referencesigns 71 through 73) and the supplementary information 77. Thesupplementary information 77 may include the original data used tocalculate the hash data, information indicating the position and sizewithin the content indicating such original data, or similar. Thesupplementary information 77 is not limited to the content portion butmay also include information designating something other than a contentportion, or designate information unrelated to content portions.

The signed data transmission unit 471 transmits the signed data 76output by the signature unit 470 to the terminal device 500 via thenetwork. Upon receiving determination results from the signature unit470 indicating that the unsigned data 70 are illegitimate, the signeddata transmission unit 471 outputs the determination results to theterminal device 500.

(Process by Key Distribution Device 400)

The pre-distribution process by the key distribution device 400 isdescribed first.

FIG. 14 is a flowchart indicating the pre-distribution process by thekey distribution device 400.

The order of operations for the pre-distribution process made up ofsteps S410 and S420 is given as an example, below. No limitation isintended regarding the order of the steps. That is, step S420 may beexecuted before step S410.

The root public key reception unit 411 of the key distribution device400 receives the root public key from the key issuance device 200 forstorage in the root public key storage unit 410. Also, the keydistribution device private key and certificate reception unit 416receives the key distribution device private key and paired certificatefrom the key issuance device 200 for storage in the key distributiondevice private key and certificate storage unit 415 (step S410).

The authentication ID and UR reception unit 421 receives theauthentication ID and paired UR from the content distributionauthentication device 300 for storage in the authentication ID and URstorage unit 420 (step S420). The key distribution device 400 thenconcludes the pre-distribution process.

The distribution process by the key distribution device 400 is describednext.

FIG. 15 is a flowchart indicating the distribution process by the keydistribution device 400.

The writeout request reception unit 430 of the key distribution device400 receives the writeout request data 50 from the terminal device 500(step S440). The determination unit 442 determines whether or not togrant the writeout request from the terminal device 500 according to thewriteout request data 50 so received (step S445). Specifically, thedetermination unit 442 verifies whether or not a match for theauthentication ID 51 in the writeout request data 50 received by thewriteout request reception unit 430 is stored in the authentication IDand UR storage unit 420, and whether or not the recording medium deviceID 52 in the writeout request data 50 matches the recording mediumdevice ID acquired by the recording medium device ID acquisition unit441.

When the authentication ID is not stored or the recording medium deviceIDs do not match (NO in step S445), the determination unit 442 outputsdetermination results indicating that the writeout request from theterminal device 500 is not granted to the terminal device 500 via thetitle key generation unit 450, the MAC calculation unit 451, and the MACand UR transmission unit 452 (step S490). The key distribution device400 then concludes the distribution process.

Conversely, when the authentication ID is stored and the recordingmedium device IDs match (YES in step S445), the mutual authenticationunit 440 performs mutual authentication with the recording medium device600 confirming whether or not the recording medium device 600 istrustworthy and simultaneously generating a common key. The subsequenttransfers use the common key to protect data by encryption anddecryption (step S450).

The title key generation unit 450 generates the title key. The MACcalculation unit 451 uses the title key generated by the title keygeneration unit 450 to calculate a MAC value for the recording mediumdevice ID acquired by the recording medium device ID acquisition unit441. Also, the MAC and UR transmission unit 452 transmits the MAC valuefor the recording medium device ID as calculated by the MAC calculationunit 451 and the UR stored in the authentication ID and UR storage unit420 to the terminal device 500 (step S455).

The title key calculation unit 453 calculates a hash value for the URstored in the authentication ID and UR storage unit 420 and generates acalculated title key by applying a simple set of reversible operations,such as XOR, to the generated hash value and the title key output by thetitle key generation unit 450. The title key transmission unit 454transmits the calculated title key generated by the title keycalculation unit 453 through the encryption and decryption unit 455 tothe recording medium device 600 (step S460).

The unsigned data and content reception unit 461 receives the unsigneddata 70 from the terminal device 500 (step S465). The positiondesignation unit 460 generates position designation information for thecontent portion subject to determination in the later-described stepS470, and transmits this information along to the terminal device 500(step S467).

The unsigned data and content reception unit 461 receives, from theterminal device 500, the content portion designated by the positiondesignation information transmitted by the position designation unit 460(step S469). The verification unit 462 verifies the legitimacy of theunsigned data 70 received by the unsigned data and content receptionunit 461 (step S470). Specifically, the verification unit 462 encryptsthe content portion received by the unsigned data and content receptionunit 461 using the title key generated in step S455 by the title keygeneration unit 450 and generates a hash value therefor. Theverification unit 462 determines whether or not the hash value socalculated matches the hash value corresponding to the content portionwritten in the unsigned data 70.

In the negative case (NO in step S470), the verification unit 462outputs, via the signature unit 470 and the signed data transmissionunit 471, verification results to the terminal device 500 indicatingthat the unsigned data 70 are illegitimate (step S490). The keydistribution device 400 then concludes the distribution process.

Conversely, in the affirmative case (YES in step S470), the signatureunit 470 uses the key distribution device private key stored in the keydistribution device private key and certificate storage unit 415 to signthe signature target portion of the unsigned data 70, thus generatingsigned data 76. Also, the signed data transmission unit 471 transmitsthe signed data 76 generated by the signature unit 470 to the terminaldevice 500 (step S475). The key distribution device 400 then concludesthe distribution process.

(Configuration of Terminal Device 500)

FIG. 16 is a block diagram illustrating the functional configuration ofthe principal components of the terminal device 500 for a reception andwriting process, while FIG. 17 is a block diagram illustrating thefunctional configuration of the principal components of the terminaldevice 500 for a playback process.

With reference to FIG. 16, the following describes the configuration ofthe terminal device 500, in concert with the content distributionauthentication device 300 and the key distribution device 400,pertaining to reception of data, such as keys and content, required forcontent protection and playback, and to writing to the recording mediumdevice 600. Similarly, with reference to FIG. 17, the followingdescribes the configuration of the terminal device 500 pertaining toreading content and data, such as keys, from the recording medium device600 for playback, provided that the aforementioned writing of contentand data to the recording medium device 600 has been completed.Components repeated in the reception and writing process and in theplayback process use the same names and reference signs in both FIGS. 16and 17.

As shown, the terminal device 500 includes a terminal device private keyand certificate storage unit 510, a root public key storage unit 511, acontent acquisition unit 520, a content ID acquisition unit 521, awriteout authentication request transmission unit 522, an authenticationresult and authentication ID reception unit 523, a mutual authenticationunit 530, a recording medium device ID acquisition unit 531, a writeoutrequest transmission unit 532, an encryption and decryption unit 533, atitle key acquisition unit 540, a MAC, UR, and signed data receptionunit 541, a MAC UR and signed data recording unit 542, a title keystorage unit 545, a title key recalculation unit 546, an encryption unit550, a content recording unit 551, a hash calculation and unsigned datageneration unit 560, an unsigned data and content transmission unit 561,a transportation unit 570, a MAC reading unit 580, a UR reading unit581, a first playback determination unit 582, a signed data reading unit585, a content reading unit 586, a second playback determination unit587, a content decryption unit 590, and a content playback unit 591.

The terminal device 500 includes a processor, memory, and a NIC. Thefunctions of the writeout authentication request transmission unit 522,the mutual authentication unit 530, the recording medium device IDacquisition unit 531, the writeout request transmission unit 532, theencryption and decryption unit 533, the title key acquisition unit 540,the title key recalculation unit 546, the encryption unit 550, the hashcalculation and unsigned data generation unit 560, the first playbackdetermination unit 582, the second playback determination unit 587, thecontent decryption unit 590, and the content playback unit 591 are eachrealized by having the processor execute a program stored in the memory.Also, data transfer by the writeout authentication request transmissionunit 522, the authentication result and authentication ID reception unit523, the mutual authentication unit 530, the writeout requesttransmission unit 532, the MAC, UR, and signed data reception unit 541,the unsigned data and content transmission unit 561, and thetransportation unit 570 is performed using the NIC.

The terminal device private key and certificate storage unit 510 is amemory area for storing a terminal device private key and pairedcertificate 20. In practice, the writing of the terminal device privatekey and certificate 20 to the terminal device private key andcertificate storage unit 510 is realized by a terminal manufacturingapparatus writing the private key and certificate generated by the keyissuance device 200 during manufacture of the terminal device 500. Thedetails of the writing process for the terminal device private key andcertificate 20 are omitted.

The root public key storage unit 511 is a memory area for storing theroot public key. In practice, the writing of the root public key to theroot public key storage unit 511 is realized during manufacture of theterminal device 500 by the terminal manufacturing apparatus writing theroot public key generated by the key issuance device 200. The details ofthe writing process for the root public key are omitted.

The content acquisition unit 520 acquires the content distributed by thecontent production device 100. The content acquisition unit 520 outputsthe content so acquired to the content ID acquisition unit 521 andoutputs plain-text content, obtained by decrypting the acquired content,to the encryption unit 550 and to the unsigned data and contenttransmission unit 561. As described above, in the exemplary Embodiment,content distribution by the content production device 100 is realizedby, for example, inserting a recording medium such as a DVD or BD onwhich content is recorded into the disc drive of the terminal device500.

The content ID acquisition unit 521 acquires the content ID of thecontent output by the content acquisition unit 520 and outputs the ID tothe writeout authentication request transmission unit 522. The contentID acquisition unit 521 acquires the content ID by generating thecontent ID as described above for the content ID generation unit 151 ofthe content production device 100.

The writeout authentication request transmission unit 522 generateswriteout authentication request data 40 (see FIG. 8), including thecontent ID output by the content ID acquisition unit 521, for output tothe content distribution authentication device 300.

The authentication result and authentication ID reception unit 523receives, from the content distribution authentication device 300, theauthentication result based on the writeout authentication request data40 transmitted by the writeout authentication request transmission unit522. Specifically, the authentication result and authentication IDreception unit 523 further receives the authentication ID when theauthentication result indicates success, then outputs the authenticationID so received to the writeout request transmission unit 532. In AACS,for example, a common mechanism may be used for transmitting thewriteout authentication request data and receiving the authenticationresult (i.e., managed copy).

The mutual authentication unit 530 performs mutual authentication withthe key distribution device 400 and with the recording medium device600, sharing a common key and exchanging certificates (the keydistribution device certificate 10, the terminal device certificate 20,and the recording medium device certificate 30) therewith. Theoperations involved in the mutual authentication are as described above(see FIG. 12).

The recording medium device ID acquisition unit 531 acquires therecording medium device ID 31 written in the recording medium devicecertificate 30 received during mutual authentication with the recordingmedium device 600 by the mutual authentication unit 530, and outputs theID to the writeout request transmission unit 532.

The writeout request transmission unit 532 generates writeout requestdata 50 (see FIG. 11) that includes the authentication ID output by theauthentication result and authentication ID reception unit 523 and therecording medium device ID output by the recording medium device IDacquisition unit 531, then transmits the data so generated to the keydistribution device 400.

The encryption and decryption unit 533 uses the common key generatedduring the mutual authentication process by the mutual authenticationunit 530 to encrypt the data at transmission time and decrypt the dataat reception time, and thus securely exchanges data with the recordingmedium device 600. Specifically, the encryption and decryption unit 533receives the calculated title key, as encrypted using the common key,from the recording medium device 600 and uses the common key to decrypt,and thus safely receive, the calculated title key.

The title key acquisition unit 540 acquires the calculated title keyfrom the recording medium device 600 through the encryption anddecryption unit 533 for output to the title key recalculation unit 546.

The MAC, UR, and signed data reception unit 541 receives the MAC valuefor the recording medium device ID of the recording medium device 600,the UR for the content corresponding to the authentication ID 51included in the writeout request data 50 transmitted by the writeoutrequest transmission unit 532, and the signed data from the keydistribution device 400, and outputs these to the MAC, UR, and signeddata recording unit 542. The MAC, UR, and signed data reception unit 541also outputs the UR so received to the title key recalculation unit 546.The MAC, UR, and signed data reception unit 541 also receivesdetermination results indicating that the writeout request is notgranted when such determination results have been transmitted from thekey distribution device 400.

The MAC, UR, and signed data recording unit 542 records the MAC value,UR, and signed data output by the MAC, UR, and signed data receptionunit 541 to the recording medium device 600.

The title key storage unit 545 is a memory area for storing a title key.

The title key recalculation unit 546 calculates a hash value for the UR,acquires the original title key by applying the simple set of reversibleoperations, such as XOR, to the calculated hash value and to thecalculated title key output by the title key acquisition unit 540, andstores the original title key in the title key storage unit 545. Inpractice, the UR used for the hash value calculation in the receptionand writing process is output by the MAC, UR, and signed data receptionunit 541, while in the playback process, the UR so used is output fromthe UR reading unit 581.

The encryption unit 550 encrypts plain-text content output by thecontent acquisition unit 520 using the title key stored in the title keystorage unit 545, then outputs the resulting content to the contentrecording unit 551 and the hash calculation and unsigned data generationunit 560.

The content recording unit 551 records the content output by theencryption unit 550 to the recording medium device 600.

The hash calculation and unsigned data generation unit 560 divides thecontent output by the encryption unit 550 into a plurality of portionsand calculates a hash value for each portion, generates unsigned data 70(see FIG. 13A) with the hash values so calculated as hash data(reference signs 71 through 73), and outputs the result to the unsigneddata and content transmission unit 561. The unsigned data 70 generatedby the hash calculation and unsigned data generation unit 560 alsoinclude supplementary information 74, as appropriate.

The unsigned data and content transmission unit 561 transmits theunsigned data 70 output by the hash calculation and unsigned datageneration unit 560 to the key distribution device 400. The unsigneddata and content transmission unit 561 also receives positiondesignation information from the key distribution device 400, extracts acontent portion designated by the position designation information soreceived from the plain-text content output by the content acquisitionunit 520, and outputs the content portion to the key distribution device400.

The transportation unit 570 relays communications data between the keydistribution device 400 and the recording medium device 600. With theexception of data pertaining to control, such as stop notifications, thetransportation unit 570 serves as a relay between the key distributiondevice 400 and the recording medium device 600 without knowing thecontent of the data being communicated. Communications between the keydistribution device 400 and the recording medium device 600,particularly those concerning the calculated title key, are performedwith the data being encrypted using the common key generated in themutual authentication process by the key distribution device 400 and therecording medium device 600. Given that the common key is common only tothe key distribution device 400 and the recording medium device 600, theterminal device 500 is, of course, unable to decrypt and reference thecalculated title key data during relay. That is, the calculated titlekey is protected during transportation.

The MAC reading unit 580 reads the MAC value from the recording mediumdevice 600 on which the content is recorded and outputs the value to thefirst playback determination unit 582.

The UR reading unit 581 reads the UR pertaining to content playback fromthe recording medium device 600 and outputs the UR to the title keyrecalculation unit 546.

The first playback determination unit 582 uses the title key stored inthe title key storage unit 545 to calculate a MAC value for therecording medium ID output by the recording medium device ID acquisitionunit 531, then determines whether or not the MAC value so calculatedmatches that recorded on the recording medium device 600 as output bythe MAC reading unit 580. The first playback determination unit 582grants the content reading unit 586 permission to read the content whenthe MAC values match, and does not grant such permission when the MACvalues do not match. That is, content playback is controlled so as todepend on the determination results from the first playbackdetermination unit 582. When not granting permission to read thecontent, the first playback determination unit 582 displays anotification to such effect for the user on a television or similaroutput device via the content decryption unit 590 and the contentplayback unit 591.

The signed data reading unit 585 reads the signed data 76 for thecontent to be played back from the recording medium device 600 andoutputs the data to the second playback determination unit 587.

When permitted to read the content by the first playback determinationunit 582, the content reading unit 586 reads the content to be playedback from the recording medium device 600 and outputs the content to thesecond playback determination unit 587 and to the content decryptionunit 590.

The second playback determination unit 587 verifies the signature 78 ofthe signed data 76 recorded on the recording medium device 600 andoutput by the signed data reading unit 585 using the root public keystored in the root public key storage unit 511 and the key distributiondevice public key written in the key distribution device certificate 10received during the mutual authentication with the key distributiondevice 400. When the signature 78 is valid, the second playbackdetermination unit 587 also calculates hash values for the contentportions resulting from division of the content recorded on therecording medium device 600 and output by the content reading unit 586,then determines whether or not the hash values so calculated match thehash values (reference signs 71 through 73) in the signed data 76. Thesecond playback determination unit 587 permits the content decryptionunit 590 to decrypt the content when the hash values match, and does notdo so when the hash values do not match. That is, content playback iscontrolled so as to depend not only on the determination results fromthe first playback determination unit 582 but also from thedetermination results from the second playback determination unit 587.When not granting permission to decrypt the content, the second playbackdetermination unit 587 displays a notification to such effect for theuser on a television or similar output device via the content decryptionunit 590 and the content playback unit 591.

The content decryption unit 590 acquires plain-text content bydecrypting the content recorded on the recording medium device 600 andoutput by the content reading unit 586 using the title key stored in thetitle key storage unit 545, then outputs the plain-text content to thecontent playback unit 591.

The content playback unit 591 plays back the plain-text content outputby the content decryption unit 590 on the television or similar playbackdevice.

(Process by Terminal Device 500)

First, the reception and writing process by the terminal device 500 isdescribed.

FIG. 18 is a flowchart indicating the reception and writing process bythe terminal device 500.

The order of operations for the reception and writing process made up ofsteps S510 through S549 is given as an example. No limitation isintended regarding the order of the steps. For example, while step S530is executed upon receipt of a writeout request operation, which includesa designation of content to be written, from the user of the terminaldevice 500, step S510 may be performed at any time provided that theoperations thereof are complete before step S530 begins.

As indicated, while manufacturing the terminal device 500, the terminaldevice manufacturing apparatus stores the terminal device private keyand certificate 20 in the terminal device private key and certificatestorage unit 510 of the terminal device 500 and stores the root publickey in the root public key storage unit 511 (step S510).

The content acquisition unit 520 acquires the content distributed by thecontent production device 100. Given circumstances, such as those ofAACS managed copy, in which content recorded in an AACS-supportedprotected format on the BD is acquired and copied onto a memory card,such as an SD card, in a different protected format, the contentrecorded on the BD, being encrypted in the AACS-supported protectedformat, is decrypted in order to obtain plain-text content.

The content ID acquisition unit 521 acquires the content ID from thecontent acquired by the content acquisition unit 520.

The writeout authentication request transmission unit 522 generateswriteout authentication request data 40, which includes the content IDacquired by the content ID acquisition unit 521, for transmission to thecontent distribution authentication device 300 (step S530).

The authentication result and authentication ID reception unit 523receives the results of the authentication performed by the contentdistribution authentication device 300 according to the writeoutauthentication request data 40 transmitted during step S530, anddetermines whether or not the received authentication result indicatessuccess (step S531).

When the authentication result indicates failure (FAIL in step S531),the authentication result and authentication ID reception unit 523notifies the user that the content cannot be written through a displayon a (non-diagrammed) display unit of the terminal device 500 (stepS549). The terminal device 500 then concludes the reception and writingprocess.

However, when the received authentication result indicates success(SUCCESS in step S531), the authentication result and authentication IDreception unit 523 additionally receives the authentication ID. Thewriteout request transmission unit 532 generates writeout request data50, made up of the authentication ID received by the authenticationresult and authentication ID reception unit 523 and the recording mediumdevice ID acquired by the recording medium device ID acquisition unit531 through the mutual authentication process performed by the mutualauthentication unit 530 with the recording medium device 600, andtransmits the writeout request data 50 so generated to the keydistribution device 400 (step S535).

The MAC, UR, and signed data reception unit 541 repeatedly determineswhether or not any data have been received from the key distributiondevice 400 (step S536). Upon receipt of determination results indicatingthat the writeout request is not granted (Determination Results in stepS536), the user is notified that the content cannot be written through adisplay on the (non-diagrammed) display unit of the terminal device 500(step S549). The terminal device 500 then concludes the reception andwriting process.

Conversely, upon receipt of the MAC value for the recording mediumdevice ID of the recording medium device 600 and the UR for the contentcorresponding to the authentication ID in the writeout request data 50transmitted during step S536 (MAC value in step S536), the MAC, UR, andsigned data reception unit 541 outputs the MAC value and the UR soreceived to the MAC, UR, and signed data recording unit 542. The MAC,UR, and signed data recording unit 542 records the MAC value and URoutput by the MAC, UR, and signed data reception unit 541 to therecording medium device 600. Further, the title key acquisition unit 540acquires the calculated title key from the recording medium device 600through the encryption and decryption unit 533 (step S540).

The title key recalculation unit 546 calculates a hash value for the URoutput by the MAC, UR, and signed data reception unit 541, calculatesthe original title key by applying the simple set of reversibleoperations, such as XOR, to the calculated hash value and to thecalculated title key acquired by the title key acquisition unit 540, andstores the original title key in the title key storage unit 545.Further, the encryption unit 550 encrypts the plain-text contentacquired by the content acquisition unit 220 using the title key storedin the title key storage unit 545 (step S541).

When the content encrypted by the encryption unit 550 has been dividedinto a plurality of portions, the hash calculation and unsigned datageneration unit 560 calculates a hash value for each portion andgenerates unsigned data 70 using the hash values so calculated as hashdata (reference signs 71 through 73). The unsigned data and contenttransmission unit 561 also transmits the unsigned data 70 generated bythe hash calculation and unsigned data generation unit 560 to the keydistribution device 400.

The unsigned data and content transmission unit 561 also receivesposition designation information from the key distribution device 400,and extracts a content portion as designated by the position designationinformation so received from the plain-text content acquired by thecontent acquisition unit 520 for transmission to the key distributiondevice 400 (step S542).

The MAC, UR, and signed data reception unit 541 repeatedly determineswhether or not any data have been received from the key distributiondevice 400 (step S543). Upon receipt of determination results indicatingthat the unsigned data 70 are illegitimate (Determination Results instep S543), the user is notified that the content cannot be writtenthrough a display on the (non-diagrammed) display unit of the terminaldevice 500 (step S549). The terminal device 500 then concludes thereception and writing process.

Conversely, when the MAC, UR, and signed data reception unit 541receives the signed data 76 (Signed Data in step S543), the MAC, UR, andsigned data recording unit 542 records the signed data 76 onto therecording medium device 600. Also, the content recording unit 551records the content acquired in step S541 onto the recording mediumdevice 600 (step S545). The terminal device then concludes the receptionand recording process.

Next, the playback process by the terminal device 500 is described.

FIG. 19 is a flowchart indicating the playback process by the terminaldevice 500.

The playback process illustrated below begins when, for example, aplayback request operation, which includes a designation of content tobe played back, is received from the user of the terminal device 500.

The UR reading unit 581 of the terminal device 500 reads the UR of thecontent to be played back from the recording medium device 600, on whichthe content is recorded. The mutual authentication unit 530 performsmutual authentication with the recording medium device 600, sharing acommon key therewith. Also, the title key acquisition unit 540 acquiresthe calculated title key from the recording medium device 600 throughthe encryption and decryption unit 533 (step S550).

The title key recalculation unit 546 calculates a hash value for the URread by the UR reading unit 581, acquires the original title key byapplying the simple set of reversible operations, such as XOR, to thecalculated hash value and to the calculated title key acquired by thetitle key acquisition unit 540, and stores the original title key in thetitle key storage unit 545. The MAC reading unit 580 reads the MAC valuecorresponding to the content being read from the recording medium device600 (step S551).

The first playback determination unit 582 uses the title key stored inthe title key storage unit 545 to calculate a MAC value for therecording medium device ID acquired by the recording medium device IDacquisition unit 531, then determines whether or not the MAC value socalculated matches that of the recording medium device ID read by theMAC reading unit 580 (step S552).

When the MAC values do not match (NO in step S552), the first playbackdetermination unit 582 prevents content playback by not permitting thecontent reading unit 586 to read the content. The first playbackdetermination unit 582 also notifies the user to the effect that thecontent cannot be played back through a display on a television orsimilar output device via the content decryption unit 590 and thecontent playback unit 591 (step S580). The terminal device 500 thenterminates the playback process.

Conversely, when the first playback determination unit 582 determinesthat the two MAC values match (YES in step S552), the signed datareading unit 585 reads the signed data 76 corresponding to the contentfrom the recording medium device 600 on which the content is recorded.The content reading unit 586 reads the content to be played back fromthe recording medium device 600 (step S555).

The second playback determination unit 587 verifies the signature 78 ofthe signed data 76 read during step S555 using the root public keystored in the root public key storage unit 511 and the key distributiondevice public key written in the key distribution device certificate 10received during mutual authentication with the key distribution device400. When the signature 78 is legitimate and the content read duringstep S555 is divided into a plurality of portions, the second playbackdetermination unit 587 calculates hash values for each of the contentportions, then determines whether or not the hash values so calculatedmatch the hash values (reference signs 71 through 73) in the signed data76 (step S556).

When the hash values do not match (NO in step S556), the second playbackdetermination unit 587 prevents content playback by not granting thecontent decryption unit 590 the permission to decrypt the content. Thesecond playback determination unit 587 also notifies the user to theeffect that the content cannot be played back through a display on atelevision or similar output device made via the content decryption unit590 and the content playback unit 591 (step S580). The terminal device500 then terminates the playback process. The second playbackdetermination unit 587 may also perform step S580 when the signature 78is found to be illegitimate in step S556. The terminal device 500 thenterminates the playback process.

Conversely, when the second playback determination unit 587 determinesthat the hash values match (YES in step S556), the content decryptionunit 590 decrypts the content read during step S555 using the originaltitle key calculated during step S551. The content playback unit 591plays back the content so decrypted by output to the television orsimilar output device (step S560). The terminal device 500 thenconcludes the playback device.

(Configuration of Recording Medium Device 600)

FIG. 20 is a block diagram illustrating the functional configuration ofthe principal components of the recording medium device 600.

As shown, the recording medium device 600 includes a recording mediumdevice private key and certificate storage unit 610, a root public keystorage unit 611, a mutual authentication unit 620, a title key storageunit 630, an encryption and decryption unit 640, a content storage unit660, a UR storage unit 670, a MAC storage unit 680, and a signed datastorage unit 690.

The recording medium device 600 includes a processor and a memory. Thefunctions of the mutual authentication unit 620 and the encryption anddecryption unit 640 are each realized by having the processor execute aprogram stored in the memory.

The recording medium device private key and certificate storage unit 610is a memory area for storing a recording medium device private key andpaired certificate 30. In practice, the writing of the recording mediumdevice private key and certificate 30 to the recording medium deviceprivate key and certificate storage unit 610 is realized by a recordingmedium manufacturing apparatus writing the private key and certificate30 generated by the key issuance device 200 during manufacture of therecording medium device 600. The details of the writing method forwriting the recording medium device private key and certificate 30 areomitted.

The root public key storage unit 611 is a memory area for storing theroot public key. In practice, the writing of the root public key to theroot public key storage unit 611 is realized during manufacture of therecording medium device 600 by the recording medium manufacturingapparatus writing the root public key generated by the key issuancedevice 200. The details of the writing process for the root public keyare omitted.

The mutual authentication unit 620 performs mutual authentication withthe key distribution device 400 and with the terminal device 500,sharing a common key and exchanging certificates (the key distributiondevice certificate 10, the terminal device certificate 20, and therecording medium device certificate 30) therewith. The operationsinvolved in the mutual authentication are as described above (see FIG.12).

The title key storage unit 630 is a memory area for storing thecalculated title key, and for security purposes, is not readable in anormal file system. That is, the calculated title key stored in thetitle key storage unit 630 is only readable by the terminal device 500upon successful authentication by the mutual authentication unit 620.

The encryption and decryption unit 640 uses the common key generatedduring the mutual authentication process by the mutual authenticationunit 620 to encrypt the data at transmission time and decrypt the dataat reception time, and thus securely exchanges communications data withthe key distribution device 400 and with the terminal device 500.Specifically, the encryption and decryption unit 640 receives, from thekey distribution device 400, the calculated title key encrypted usingthe common key shared with the key distribution device 400 and uses thecommon key to decrypt title key for storage in the title key storageunit 630. Also, in response to a request from the terminal device 500,the encryption and decryption unit 640 encrypts the calculated title keystored in the title key storage unit 630 using the common key sharedwith the terminal device 500, and transmits the results thereto.Accordingly, the calculated title key is securely passed between therecording device 600 and both of the terminal device 500 and between therecording device 600 and the key distribution device 400.

The content storage unit 660 is a memory area for storing content. Theterminal device 500 performs content reading and writing in this memoryarea.

The UR storage unit 670 is a memory area for storing the UR. Theterminal device 500 performs UR reading and writing in this memory area.

The MAC storage unit 680 is a memory area for storing the MAC value ofthe recording medium device ID. The terminal device 500 performs MACvalue reading and writing in this memory area.

The signed data storage unit 690 is a memory area for storing the signeddata 76. The terminal device 500 performs signed data 76 reading andwriting there.

(Write Process by Recording Medium Device 600)

FIG. 21 is a flowchart indicating the write process by the recordingmedium device 600.

The order of operations for the writing process made up of steps S610through S670 is given as an example, below. No limitation is intendedregarding the order of the steps. For example, provided that step S610is complete before step S620 begins, and that step S630 is performedafter step S620 is complete, steps S630 through S650 may be performed inany order. Also, the order of steps S660 and S670 may be as stated orreversed, provided that steps S660 and S670 are performed after stepsS630 through S650.

While manufacturing the recording medium device 600, the recordingmedium manufacturing apparatus stores the recording medium deviceprivate key and certificate 30 in the recording medium device privatekey and certificate storage unit 610 and stores the root public key inthe root public key storage unit 611 of the recording medium device 600(step S610).

Given an access request from the key distribution device 400 or from theterminal device 500, the mutual authentication unit 620 performs mutualauthentication with the requesting device to confirm that the device istrustworthy and to simultaneously generate a common key therewith. Insubsequent communications, data are secured by encryption and decryptionwith this common key (step S620). The mutual authentication unit 620determines whether or not the terminal device ID of the terminal device500 included in the terminal device certificate 20 acquired during themutual authentication process is listed in a revoke file. The revokefile is a separately transmitted and stored list of revoked devices. Inthe affirmative case, the mutual authentication unit 620 deems theterminal device 500 to be illegitimate, cancels all subsequentcommunication therewith, and concludes the writing process.

Once step S620 is complete, the encryption and decryption unit 640receives the calculated title key from the key distribution device 400for storage in the title key storage unit 630 (step S630).

The terminal device 500 also stores the UR in the UR storage unit 670and the MAC value for the recording medium device ID in the MAC storageunit 680 (steps S640 and S650).

The terminal device 500 also stores the content in the content storageunit 660 and the signed data 76 in the signed data storage unit 690(steps S660 and S670). The recording medium device 600 then concludesthe writing process.

Although the reading process performed by the recording medium device600 is not specifically illustrated, the process is performed uponreceipt of an access request (read request) from the terminal device500.

That is, the calculated title key stored in the title key storage unit630 is read out by the terminal device 500 via the encryption anddecryption unit 640 during the mutual authentication process by themutual authentication unit 620. Also, the content stored in the contentstorage unit 660, the UR stored in the UR storage unit 670, the MACvalue stored in the MAC storage unit 680, and the signed data 76 storedin the signed data storage unit 690 are similarly read out by theterminal device 500.

<Supplement>

(1) In the exemplary Embodiment, the recording medium device 600 isdescribed as an SD card or similar memory card. This is intended as anexample. For example, the recording medium device 600 may be an HDD(Hard Disk Drive) or similar storage device incorporating a control LSI(Large Scale Integration) in any device, such as a mobile phone, aproprietary terminal for viewing eBooks, or another mobile device inwhich the memory device is incorporated and that is not a removablememory card.(2) In the exemplary Embodiment, data communication between the terminaldevice 500 and the key distribution device 400, between the terminaldevice 500 and the recording medium device 600, and between the keydistribution device 400 and the recording medium device 600 involvesprotection using a common key shared during mutual authentication.However, this is intended as an example. Rather than using the commonkey for data protection, a secure communication technology such as HTTPS(Hypertext Transfer Protocol over Secure Socket Layer) may be used.(3) In the above-described exemplary Embodiment, the terminal device 500performs transmission. However, no limitation is intended thereby.Rather than having the terminal device 500 perform transmission, the keydistribution device 400 or the recording medium device 600 may beinstructed to perform transmission by a terminal device other than theterminal device 500, and thus be configured to perform datatransmission.(4) In the exemplary Embodiment, the first playback determination unit582 of the terminal device 500 uses the MAC value for the recordingmedium device ID of the recording medium device 600 to determine whetherto perform or prevent content playback. However, this is intended as anexample. The calculated title key may also be used, for example.Specifically, when the calculated title key has been obtained byapplying an XOR operation to the title key and to the hash value of theUR, an additional XOR operation may be applied to the calculated titlekey and the recording medium device ID of the recording medium device600 or to the hash value thereof, and the result of the XOR operationmay then be used. Alternatively, the key issuance device 200 or the keydistribution device 400 may simply sign the recording medium device IDof the recording medium device 600, and the first playback determinationunit 582 may then verify the signature to determine whether to performor prevent content playback.(5) In the exemplary Embodiment, the signature unit 152 of the contentproduction device 100 applies a signature to the content ID in order toprevent tampering therewith. However, the signature by the signatureunit 152 may also be accompanied or replaced with a signature by the keyissuance device 200.(6) In the exemplary Embodiment, the terminal device 500 is a DVD or BDplayer, and the content produced by the content production device 100 isdistributed to the terminal device 500 via a recording medium such as aBD. However, the content produced by the content production device 100may also be modified for distribution to the terminal device 500 overthe Internet. Specifically, a variant of the content distribution system1000 described in the Embodiment may further include a contentdistribution device. In this variant, the terminal device 500 is notlimited to a DVD or BD player but may also be a personal computercapable of connecting to the Internet. The content produced by thecontent production device 100 is then registered by the contentdistribution device and distributed to the terminal device 500 by amethod such as streaming over the Internet or being downloaded from thecontent distribution device.(7) As described in the exemplary Embodiment, when, as shown in FIG. 9,the authentication of the writeout authentication request data 40 fromthe terminal device 500 is successful (YES in step S330), the contentdistribution authentication device 300 generates the authentication IDfor transmission to the terminal device 500 (step S340), and transmitsthe authentication ID and paired UR to the key distribution device 400(step S350).

However, the authentication ID may be generated in advance rather thanduring step S340, and such a pre-generated authentication ID may then betransmitted in steps S340 and S350. Also, in variation (6) describedabove, the content distribution authentication device 300 may performsteps S340 and S350 every time the content is downloaded.

When this variation is employed, the timing of authentication ID and URreception in step S420 of the pre-distribution process performed by thekey distribution device 400 indicated in FIG. 14 may be modified tomatch.

(8) In the exemplary Embodiment, the position designation informationgenerated by the position designation unit 460 of the key distributiondevice 400 is information indicating the position and size of a contentportion subject to hash value comparison by the verification unit 462,taken from the content that the terminal device 500 is attempting towrite onto the recording medium device 600.

However, the position designation information may also designate theposition and size of each of a plurality of such portions, as contentportions subject to hash value comparison. In other words, the contentportion may be made up of a plurality of portions of the content thatthe terminal device 500 is attempting to write to the recording mediumdevice 600.

Also, the position designation information is not limited to indicatinga portion of the content that the terminal device 500 is attempting towrite onto the recording medium device 600, and may alternativelyindicate the entirety of such content.

(9) In the exemplary Embodiment, when the MAC values do not match, thefirst playback determination unit 582 of the terminal device 500inhibits content playback by not permitting the content reading unit 586to read the content. However, the first playback determination unit 582may also inhibit content playback by not permitting the contentdecryption unit 590 to decrypt the content, or by not permitting thecontent playback unit 591 to decode or output the content to the outputdevice.

Also, in the exemplary Embodiment, when the hash values do not match,the second playback determination unit 587 of the terminal device 500inhibits content playback by not permitting the content decryption unit590 to decrypt the content. However, the second playback determinationunit 587 may also inhibit content playback by not permitting the contentplayback unit 591 to decode or output the content to the output device.

(10) As described in the exemplary Embodiment, the title key storageunit 630 of the recording medium device 600 stores the calculated titlekey. However, the raw, uncalculated title key for the key distributiondevice 400 generated by the title key generation unit 450 may also betransmitted to the recording medium device 600, such that the recordingmedium device 600 stores the raw title key (the key distribution device,terminal device, and recording medium device pertaining to thisvariation are hereinafter respectively termed the variant keydistribution device, the variant terminal device, and the variantrecording medium device).

Specifically, as indicated in FIG. 25, the variant key distributiondevice replaces step S460 of the process performed by the keydistribution device 200 and indicated in FIG. 15 with step S460 a. Thatis, the title key transmission unit of the variant key distributiondevice transmits the title key generated by the title key generationunit 450 to the recording medium device 600 via the encryption anddecryption unit 455 (step S460 a).

Also, as shown in FIG. 26, the variant terminal device replaces stepsS540 and S541 of the process performed by the terminal device 500 andindicated in FIG. 18 with steps S540 a and S541 a. In other words, theMAC, UR, and signed data recording unit 542 of the variant terminaldevice records the MAC value and UR output by the MAC, UR, and signeddata reception unit 541 to the recording medium device 600. Further, thetitle key acquisition unit of the variant terminal device acquires thetitle key from the recording medium device 600 via the encryption anddecryption unit 533 (step S540 a) for storage in the title key storageunit 545. Also, the encryption unit 550 encrypts the plain-text contentacquired by the content acquisition unit 220 using the title key storedin the title key storage unit 545 (step S541 a).

Also, as shown in FIG. 27, the variant terminal device replaces stepsS550 and S551 of the process performed by the terminal device 500 andindicated in FIG. 19 with steps S550 a and S551 a. That is, the titlekey acquisition unit of the variant terminal device acquires the titlekey from the recording medium device 600 via the encryption anddecryption unit 533 for storage in the title key storage unit 545 (stepS550 a). Also, the MAC reading unit 580 reads the MAC valuecorresponding to the content to be played back from the recording mediumdevice 600 (step S551 a).

Further, as shown in FIG. 28, the variant recording medium devicereplaces step S630 of the process performed by the recording mediumdevice 600 and indicated in FIG. 21 with step S630 a. That is, theencryption and decryption unit 640 of the variant recording mediumdevice receives the title key from the key distribution device 400 forstorage in the title key storage unit 630 (step S630 a).

(11) Each component described in the exemplary Embodiment may berealized in whole or in part as an integrated circuit on a single chipor on multiple chips, or may be realized as a computer program or insome other manner.

Also, the components described in the exemplary Embodiment realize theeffects thereof in cooperation with the processor of the device in whicheach respective component is included (i.e., the content productiondevice 100, the key issuance device 200, the content distributionauthentication device 300, the key distribution device 400, the terminaldevice 500, and the recording medium device 600).

(12) A program for causing the processor to run the devices described inthe exemplary Embodiment (i.e., the content production device 100, thekey issuance device 200, the content distribution authentication device300, the key distribution device 400, the terminal device 500, and therecording medium device 600) (see FIGS. 3, 6, 9, 14, 15, 18, 19, and 21)may be recorded on a recording medium or distributed through varioustypes of communication lines. The recording medium may be an IC card, ahard disk, an optical disc, a floppy disc, ROM, flash memory, orsimilar. The program so distributed is provided for use by storage inprocessor-readable memory in the relevant device. The processor realizesthe functions of the device (i.e., the content production device 100,the key issuance device 200, the content distribution authenticationdevice 300, the key distribution device 400, the terminal device 500,and the recording medium device 600), as described in the Embodiment, byhaving the processor execute the relevant program.(13) Variations (1) through (12), described above, may be applied to theentirety of or to a subset of the devices making up the contentdistribution system 1000 pertaining to the exemplary Embodiment.(14) A variant configuration for the content recording control system,server device, and terminal device is described below, along with theeffects thereof, as a variant Embodiment of the present disclosure.(a) As shown in FIG. 22, a terminal device 2500 pertaining to anon-limiting aspect of the present disclosure records content onto arecording medium device 2600, a permission to record the content ontothe recording medium device 2600 being granted by a server device 2400,the terminal device 2500 comprising: a generation unit 2510 generating avalue calculated so as to represent subject content for which apermission to record onto the recording medium device 2600 is requested;an information transmission unit 2520 requesting the permission from theserver device 2400 to record the subject content onto the recordingmedium device 2600 by transmitting information indicating the valuegenerated by the generation unit 2510 to the server device 2400; asignature reception unit 2530 receiving subject content signature datafrom the server device 2400, the subject content signature data beingtransmitted by the server device 2400 upon granting the permission torecord the subject content onto the recording medium device 2600; and arecording unit 2540 recording the subject content onto the recordingmedium device 2600 as one of plain-text data and encrypted data, as wellas the subject content signature data received by the signaturereception unit 2530.

The server device 2400, the terminal device 2500, and the recordingmedium device 2600 correspond, for example, to the key distributiondevice 400, the terminal device 500, and the recording medium device 600of the exemplary Embodiment. Also, the generation unit 2510 correspondsto the hash calculation and unsigned data generation unit 560 of theexemplary Embodiment, while the information transmission unit 2520corresponds to the unsigned data and content transmission unit 561 ofthe exemplary Embodiment, for example. Further, for example, thesignature reception unit 2530 corresponds to the MAC, UR, and signeddata reception unit 541 of the Embodiment, while the recording unit 2540corresponds to the MAC, UR, and signed data recording unit 542 combinedwith the content recording unit 551 of the exemplary Embodiment.

The terminal device 2500 records the subject content to the recordingmedium device 2600 once the server device 2400 grants the permission torecord the content onto the recording medium device 2600. Thus, therecording of content for which no permission to record onto therecording medium device 2600 has been granted, such as illegitimatelyduplicated content, is inhibited.

Also, the terminal device 2500 records the signed data transmitted bythe server device 2400 onto the recording medium device 2600, as well asthe content. Accordingly, a legitimate playback device is controlled soas to not play back content having no signed data recorded therewith.Thus, content hypothetically recorded onto the recording medium deviceby a hacked terminal device 2500 without receiving the permission fromthe server device 2400 is not permitted to be played back.

(b) Also, the generation unit optionally generates a hash value for thesubject content to serve as the value.

The terminal device transmits information indicating the hash value ofthe subject content. Thus, the server device is able to specify thesubject content for which permission to record onto the recording mediumdevice is requested. This is based on the fact that different contentwill normally result in a different hash value.

(c) Also, optionally, the generation unit generates the hash value foreach of a plurality of content portions making up the subject content,and upon receipt of designation information designating one or more ofthe content portions, the information transmission unit furthertransmits each designated content portion to the server device asdesignated by the designation information transmitted by the serverdevice in order to determine whether or not to grant the permission.

The terminal device transmits a portion of the subject content to theserver device as indicated in designation information received from theserver device. Accordingly, the server device determines whether or notto grant the permission to record the subject content onto the recordingmedium device by calculating a hash value from the portion of thesubject content, matching the calculated hash value with the hash valuefor the subject content received from the terminal device, and makingthe determination in accordance with the results.

(d) Optionally, the data recorded onto the recording medium device bythe recording unit result from encryption of the subject content using atitle key for the subject content.

The terminal device encrypts the subject content using the title keythereof prior to recording onto the recording medium device. The subjectcontent is thus protected.

(e) As shown in FIG. 22, a server device 2400 pertaining to anon-limiting aspect of the present disclosure determines whether or notto grant to a terminal device 2500 a permission to record content onto arecording medium device 2600, the server device 2400 comprising: aninformation reception unit 2410 receiving information from the terminaldevice 2500, the information indicating a value calculated so as torepresent subject content for which a permission to record onto therecording medium device 2600 is requested; a determination unit 2420determining whether or not to grant the permission to record the subjectcontent onto the recording medium device 2600 depending on the valueindicated in the information received by the information reception unit2410; a signature unit 2430 generating subject content signature datawhen the determination unit 2420 grants the permission to record; and asignature transmission unit 2440 transmitting the subject contentsignature data generated by the signature unit 2430 to the terminaldevice 2500.

The information reception unit 2410 corresponds to the unsigned data andcontent reception unit 461 of the exemplary Embodiment, while thedetermination unit 2420 corresponds to the verification unit 462 of theexemplary Embodiment, for example. Also, the signature unit 2430corresponds to the signature unit 470 of the exemplary Embodiment, whilethe signature transmission unit 2440 corresponds to the signed datatransmission unit 471 of the exemplary Embodiment, for example.

The server device 2400 determines whether or not to grant the permissionto record the subject content onto the recording medium device 2600according to the information indicating the value calculated so as torepresent the subject content. Accordingly, the server device 2400 isable to identify the subject content for which the permission to recordonto the recording medium device 2600 has been granted.

When permission to record the subject content onto the recording mediumdevice 2600 is granted, signed data for the subject content aregenerated and transmitted to the terminal device 2500. Accordingly, alegitimate playback device is controlled so as to not play back contenthaving no signed data recorded therewith. Thus, content hypotheticallyrecorded onto the recording medium device by a hacked terminal device2500 without receiving the permission from the server device 2400 is notpermitted to be played back.

(f) Optionally, the information received by the information receptionunit indicates hash values each calculated for one of a plurality ofcontent portions making up the subject content, the server devicefurther comprises a designation unit generating designation informationand transmitting the designation information to the terminal device, thedesignation information designating one or more of the content portionsto be transmitted by the terminal device upon receipt of the informationby the information reception unit, the information reception unitfurther receives each designated content portion transmitted by theterminal device in response to the designation information transmittedby the designation unit, and the determination unit determines whetheror not matching occurs between: a designated hash value of the portiondesignated in the designation information generated by the designationunit, among the hash values in the information received by theinformation reception unit, and a calculated hash value for thedesignated content portion received by the information reception unit,and grants the permission to record the subject content onto therecording medium device upon matching.

The designation unit corresponds to the position designation unit 460 ofthe exemplary Embodiment.

The server device calculates a hash value for the designated portion ofthe subject content, and grants the permission to record the subjectcontent onto the recording medium device when matching occurs betweenthe calculated hash value and the hash value of the portion as indicatedin the information received from the terminal device. Accordingly, anunwanted situation, such as recording content onto the recording mediumdevice by exchanging the content on the terminal device, is preventedfrom occurring.

(g) Optionally, the designation unit generates position informationindicating a position within the subject content for at least onerandomly-selected content portion among the content portions making upthe subject content for use as the designation information.

The server device randomly selects the content portion. Accordingly, anunwanted situation, such as recording content onto the recording mediumdevice by partially exchanging the content on the terminal device, isprevented from occurring.

(h) Optionally, the server device further comprises an authenticationinformation reception unit receiving authentication informationtransmitted to the server device and to the terminal device from anauthentication device upon authenticating the subject content as beingpre-registered, in response to a request from the terminal device; atitle key generation unit generating one of a plain-text title key andan encrypted title key for the subject content upon receipt ofauthentication information transmitted by the terminal device thatmatches the authentication information received by the authenticationinformation reception unit, the key being used by the terminal devicewhen recording the subject content onto the recording medium device asencrypted data; and a title key transmission unit transmitting one ofthe title key generated by the title key generation unit and acalculated title key generated by applying a predetermined operation tothe title key to the recording medium device for recording.

The authentication device corresponds, for example, to the contentdistribution authentication device 300 of the exemplary Embodiment.Also, for example, the authentication information reception unitcorresponds to the authentication ID and UR reception unit 421 of theexemplary Embodiment, the title key generation unit corresponds to thetitle key generation unit 450 of the exemplary Embodiment, and the titlekey transmission unit corresponds to the title key transmission unit 454of the exemplary Embodiment.

When the subject content is authenticated by the authentication deviceas being pre-registered, the server device generates the title key andrecords the title key, or a calculated title key calculated therefrom,onto the recording medium device. Accordingly, the terminal deviceencrypts the subject content using the title key or the calculated titlekey prior to recording onto the recording medium device. As such, theserver device prevents the recording of subject content onto a recordingmedium where the title key or the calculated title key has not beenrecorded.

(i) As shown in FIG. 22, a content recording control system pertainingto a non-limiting aspect of the present disclosure comprises: a serverdevice 2400 determining whether or not to grant a permission to recordcontent onto a recording medium device 2600; and a terminal device 2500recording the content onto the recording medium device 2600, thepermission to record the content onto the recording medium device 2600being granted by the server device 2400, the terminal device 2500comprising: a generation unit 2510 generating a value calculated so asto represent subject content for which a permission to record onto therecording medium device 2600 is requested; an information transmissionunit 2510 requesting the permission from the server device 2400 torecord the subject content onto the recording medium device 2600 bytransmitting information indicating the value generated by thegeneration unit 2510 to the server device 2400; a signature receptionunit 2530 receiving subject content signature data from the serverdevice 2400, the subject content signature data being transmitted by theserver device 2400 upon granting the permission to record the subjectcontent onto the recording medium device 2600; and a recording unit 2540recording the subject content onto the recording medium device 2600 asone of plain-text data and encrypted data, as well as the subjectcontent signature data received by the signature reception unit 2530,and the server device 2400 comprising: an information reception unit2410 receiving the information transmitted by the terminal device 2500;a determination unit 2420 determining whether or not to grant thepermission to record the subject content onto the recording mediumdevice 2600 depending on the value indicated in the information receivedby the information reception unit 2410; a signature unit 2430 generatingsubject content signature data when the determination unit 2420 grantsthe permission to record; and a signature transmission unit 2440transmitting the subject content signature data generated by thesignature unit 2430 to the terminal device 2500.

The terminal device 2500 of the content recording control system 2000records the subject content onto the recording medium device 2600 oncethe server device 2400 grants the permission to record the content ontothe recording medium device 2600. Thus, the recording of content forwhich no permission to record onto the recording medium device 2600 hasbeen granted, such as illegitimately duplicated content, is inhibited.

Also, the terminal device 2500 records the signed data transmitted bythe server device 2400, as well as the subject content, onto therecording medium device 2600. Accordingly, a legitimate playback deviceis controlled so as to not play back content having no signed datarecorded therewith. Thus, subject content hypothetically recorded ontothe recording medium device by a hacked terminal device 2500 withoutreceiving the permission from the server device 2400 is prevented frombeing played back.

Also, the server device 2400 of the content recording control system2000 determines whether or not to permit recording of the subjectcontent onto the recording medium device 2600 according to theinformation indicating a value calculated so as to represent thecomposition of the subject content. Accordingly, the server device 2400is able to identify the subject content for which the permission torecord onto the recording medium device 2600 has been granted.

(j) As shown in FIG. 23, a recording method pertaining to a non-limitingaspect of the present disclosure is used by a terminal device recordingcontent onto a recording medium device, a permission to record thecontent onto the recording medium device being granted by a serverdevice, the recording method comprising: a generation step S10 ofgenerating a value calculated so as to represent subject content forwhich a permission to record onto the recording medium device isrequested; an information transmission step S11 of requesting thepermission from the server device to record the subject content onto therecording medium device by transmitting information indicating the valuegenerated in the generation step S10 to the server device; a signaturereception step S12 of receiving subject content signature data from theserver device, the subject content signature data being transmitted bythe server device upon granting the permission to record the subjectcontent onto the recording medium device; and a recording step S13 ofrecording the subject content onto the recording medium device as one ofplain-text data and encrypted data, as well as the subject contentsignature data received in the signature reception step S12.

The processes of the generation step S10 and the informationtransmission step Si 1 correspond to the generation of the unsigned dataand the subsequent transmission process indicated in step S542 of FIG.18, for example. Also, the processes of the signature reception step S12and the recording step S13 correspond to the reception determinationprocess of step S453 and the signed data and content recording processof step S545, indicated in FIG. 18, for example.

According to this recording method, the terminal device records thesubject content onto the recording medium device once the server devicegrants the permission to record the content onto the recording mediumdevice. Thus, the recording of content for which no permission to recordonto the recording medium device has been granted, such asillegitimately duplicated content, is inhibited.

Also, according to this recording method, the terminal device recordsthe signed data transmitted by the server device, as well as the subjectcontent, onto the recording medium device. Accordingly, a legitimateplayback device is controlled so as to not play back content having nosigned data recorded therewith. Thus, subject content hypotheticallyrecorded onto the recording medium device by a hacked terminal devicewithout receiving permission from the server device is prevented frombeing played back.

(k) As shown in FIG. 24, a recording permission control methodpertaining to a non-limiting aspect of the present disclosure is used bya server device determining whether or not to grant to a terminal devicea permission to record content onto a recording medium device, therecording permission control method comprising: an information receptionstep S20 of receiving information from the terminal device, theinformation indicating a value calculated so as to represent subjectcontent for which a permission to record onto the recording mediumdevice is requested; a determination step S21 of determining whether ornot to grant the permission to record the subject content onto therecording medium device depending on the value indicated in theinformation received in the information reception step; a signature stepS22 b of generating subject content signature data when the permissionto record is granted in the determination step (YES in step S22 a); anda signature transmission step S23 of transmitting the subject contentsignature data generated in the signature step S22 b to the terminaldevice.

The process of the data reception step S20 corresponds to the unsigneddata reception process of step S465 indicated in FIG. 15, while theprocess of the determination step S21 corresponds to the hash valuedetermination process of step S470 also indicated in FIG. 15, forexample. Further, the processes of the signature step S22 b and of thesignature transmission step S23 correspond to the signed data generationand transmission process of step S475 indicated in FIG. 15.

According to this recording permission control method, the server devicedetermines whether or not to permit the recording of the subject contentonto the recording medium device according to the information indicatinga value calculated so as to represent the subject content. Accordingly,the server device is able to identify the subject content for which thepermission to record onto the recording medium device has been granted.

When permission to record the subject content onto the recording mediumdevice is granted, signed data for the subject content are generated andtransmitted to the terminal device. As such, according to this recordingpermission control method, a legitimate playback device is controlled soas to not play back content having no signed data recorded therewith.Thus, subject content hypothetically recorded onto the recording mediumdevice by a hacked terminal device without the permission from theserver device is prevented from being played back.

INDUSTRIAL APPLICABILITY

The terminal device of the present disclosure is applicable toinhibiting the recording of illegitimately duplicated content and thelike onto a recording medium device.

REFERENCE SIGNS LIST

-   -   100 Content production device    -   200 Key issuance device    -   300 Content distribution authentication device    -   400 Key distribution device    -   421 Authentication ID and UR reception unit    -   450 Title key generation unit    -   454 Title key transmission unit    -   460 Position designation unit    -   461 Unsigned data and content reception unit    -   462 Verification unit    -   470 Signature unit    -   471 Signed data transmission unit    -   500 Terminal device    -   560 Hash calculation and unsigned data generation unit    -   541 MAC, UR, and signed data reception unit    -   542 MAC, UR, and signed data recording unit    -   551 Content recording unit    -   561 Unsigned data and content transmission unit    -   600 Recording medium device    -   1000 Content distribution system

1-11. (canceled)
 12. A terminal device outputting content recorded on arecording medium device, the terminal device comprising: a reading unitreading, from the recording medium device, content subject to output,signature data for the content, and a title key, the signature dataincluding a hash value for each of a plurality of content pieces, aposition of each of the content pieces, and a size of each of thecontent pieces; a determination unit calculating the hash value for eachof the content pieces, determining whether calculated results match thehash value in the signature data for each of the content pieces, andpreventing playback of the content when there is no match; a decryptingunit decrypting the content with use of the title key; and an outputunit outputting decrypted content.
 13. The terminal device of claim 12,wherein the determination unit performs verification of the signaturedata read from the recording medium device and, when the signature datais valid, calculates the hash value for each of the content pieces withuse of the position and the size of each of the content pieces in thesignature data.
 14. The terminal device of claim 12, wherein, the titlekey read from the recording medium device by the reading unit is acalculated title key obtained by applying a reversible operation to anoriginal title key used to encrypt the content, the reading unitacquires a usage rule from the recording medium device, and thedecrypting unit applies the reversible operation to the calculated titlekey and calculates the original title key with the usage rule, anddecrypts the content using the original title key.
 15. A control methodused by a terminal device outputting content recorded on a recordingmedium device, comprising: reading, from the recording medium device,content subject to output, signature data for the content, and a titlekey, the signature data including a hash value for each of a pluralityof content pieces, a position of each of the content pieces, and a sizeof each of the content pieces; calculating the hash value for each ofthe content pieces, determining whether calculated results match thehash value in the signature data for each of the content pieces, andpreventing playback of the content when there is no match; decryptingthe content with use of the title key; and outputting decrypted content.16. The control method of claim 15, wherein verification is performed onthe signature data read from the recording medium device and, when thesignature data is valid, the hash value for each of the content piecesis calculated with use of the position and the size of each of thecontent pieces in the signature data.
 17. The control method of claim15, wherein, the title key read from the recording medium device is acalculated title key obtained by applying a reversible operation to anoriginal title key used to encrypt the content, a usage rule is acquiredfrom the recording medium device, and the reversible operation isapplied to the calculated title key to calculate the original title keywith the usage rule, and the content is decrypted using the originaltitle key.